
performance problems with ldap auth - please help!



Hello,
I am having serious performance problems with group authentication. Here is my process:
apache -> pam -> openldap


Loading a page protected by ordinary htpasswd auth takes under a second; the same page authenticating against the LDAP server takes anywhere from 7 to 14 seconds.

When I do authenticate, here is what I see in the slapd logs:
Mar 1 18:35:39 atlas slapd[16889]: conn=196 op=51 SRCH base="ou=Groups,dc=domain,dc=com" scope=1 filter="(objectClass=posixGroup)"
Mar 1 18:35:39 atlas slapd[16889]: conn=196 op=51 ENTRY dn="cn=root,ou=Groups,dc=domain,dc=com"
Mar 1 18:35:39 atlas slapd[16889]: conn=196 op=51 ENTRY dn="cn=bin,ou=Groups,dc=domain,dc=com"
Mar 1 18:35:39 atlas slapd[16889]: conn=196 op=51 ENTRY dn="cn=daemon,ou=Groups,dc=domain,dc=com"
Mar 1 18:35:39 atlas slapd[16889]: conn=196 op=51 ENTRY dn="cn=sys,ou=Groups,dc=domain,dc=com"


The same ENTRY line is repeated for every group under ou=Groups, i.e. each authentication enumerates the whole group subtree.

I have attached my configs (slapd.conf, the ldap.conf used by pam_ldap/nss_ldap, and the PAM file for the httpd service) as separate files to make things easier.
Also, here is an example of an entry:

dn: cn=cvs,ou=Groups,dc=domain,dc=com
objectClass: posixGroup
objectClass: top
cn: cvs
userPassword: {crypt}x
gidNumber: 525
memberUid: td
memberUid: God

If anyone else is running this setup, please email me so we can compare notes and find out where I am going wrong. :)

Thank you!!

--
Terry Davis
http://approbation.org/

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# NOTE(review): the warning above is not optional for this file -- it carries
# the directory's root password in clear text (see rootpw below), so it must
# be readable only by the user slapd runs as (e.g. mode 0600).
#
# Schema files. Entries in the mail only use core + nis (posixGroup); the
# other schema files widen what clients may store but do not affect the
# search performance being asked about.
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/corba.schema
include		/etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nadf.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include		/etc/openldap/schema/krb5-kdc.schema
include		/etc/openldap/schema/samba.schema
include		/etc/openldap/schema/evolutionperson.schema

# Reject entries that violate the loaded schema; keep this on.
schemacheck	on
#readonly	on

# ACL files
# The access controls live in the included file and are not shown here;
# whether anonymous clients may read userPassword or enumerate ou=Groups is
# decided there -- TODO confirm.
include		/etc/openldap/acls/acl1

pidfile		/usr/var/slapd.pid
argsfile	/usr/var/slapd.args

# 768 = 256 (stats: connections, operations, results) + 512 (stats2: one log
# line per entry returned). With stats2 on, a search that walks every group
# under ou=Groups (the SRCH/ENTRY lines quoted in the mail) writes one syslog
# line per group per request; if syslog writes synchronously this alone adds
# measurable latency. 256 is presumably enough once the enumeration itself
# has been understood.
loglevel	768

# The ldaps:// URL here suggests a TLS listener exists or was planned; the
# client side (ldap.conf) currently does not use one -- see there.
#referral       ldaps://ldap.domain.com/

# Load dynamic backend modules:
# modulepath	/usr/libexec/openldap
# moduleload	back_ldap.la
# moduleload	back_ldbm.la
# moduleload	back_passwd.la
# moduleload	back_shell.la


#######################################################################
# ldbm database definitions
#######################################################################

# Everything from here to the end of the file applies to this database;
# global directives must stay above this line.
database	ldbm
# In-memory entry cache (entries) and on-disk DB cache (bytes).
cachesize	10000
dbcachesize	3000000
suffix		"dc=domain,dc=com"
directory       /home/openldap/domain-ldbm
rootdn		"cn=root,dc=domain,dc=com"
# NOTE(review): rootpw is stored in clear text. slapd.conf(5) accepts a hashed
# value -- generate one with `slappasswd` and paste the resulting {SSHA}...
# string here -- so that reading this file does not directly yield the
# directory root credential. Also avoid using rootdn for routine client binds
# (ldap.conf's rootbinddn does exactly that).
rootpw		password
# Replica settings: updatedn is the DN replication updates arrive as (here
# the same as rootdn); updateref is the referral returned to clients that try
# to write to this replica. The trailing ';' after the closing quote is not
# slapd.conf syntax -- it is probably ignored as a stray extra token, but
# verify slapd accepts it, or drop it.
updatedn        "cn=root,dc=domain,dc=com"
updateref       "ldap://ldap1:389/dc=domain,dc=com";

# indexes
# memberUid and gidNumber are eq-indexed, so looking up one group, or a
# user's groups by memberUid, would be cheap. The query in the mail,
# (objectClass=posixGroup) at one-level scope, is a full enumeration of
# ou=Groups and is not helped by any index listed here -- the fix for that is
# on the client side (nss_ldap/pam_ldap), not in this file.
# NOTE(review): indexing userPassword (eq) serves no normal purpose -- simple
# binds look the entry up by DN rather than searching on userPassword -- and
# it copies the password hashes into a second on-disk index file. Drop it
# unless something really searches on that attribute.
index	objectClass,uid,cn pres,eq
index	default pres,eq
index   sn,uidNumber,userPassword,givenName,telephoneNumber,mail,title,homePhone,mobile,pager,roomNumber,homeDirectory,loginShell,gecos,mailLocalAddress,mailRoutingAddress,mailhost,memberUid,gidNumber	eq

# Maintain modifiersName/modifyTimestamp etc. on writes.
lastmod         on
# pam_ldap / nss_ldap client configuration (ldap.conf). These settings apply
# to every process on this host that goes through pam_ldap or nss_ldap,
# including Apache when it authenticates via PAM.
# Your LDAP server. Must be resolvable without using LDAP.
host			ldap2
base			dc=domain,dc=com
# NOTE(review): no ssl / tls_* directives appear in the lines shown, so unless
# something not visible here wraps the connection, user passwords (simple
# binds) and directory data travel to ldap2 in clear text. Prefer
# `ssl start_tls` (or an ldaps URI) together with tls_checkpeer.
# NOTE(review): rootbinddn makes pam_ldap/nss_ldap bind as the directory
# rootdn, taking its password from a root-only secret file (/etc/ldap.secret
# in pam_ldap's convention). That grants full write access for what are
# read-only lookups, and a non-root process such as httpd's worker cannot
# read that file and presumably falls back to an anonymous bind -- confirm
# from the BIND lines in the slapd log. A dedicated read-only binddn/bindpw
# is the usual replacement.
rootbinddn		cn=root,dc=domain,dc=com
# Attribute holding group members for pam_ldap's own group check. pam_groupdn,
# which names the group to check against, is not set in the lines shown, so
# pam_ldap itself is not restricting logins to a group; any group restriction
# would be happening in Apache through NSS lookups (see nss_base_group).
pam_member_attribute	memberUid
nss_base_passwd         ou=People,dc=domain,dc=com?one
nss_base_shadow         ou=People,dc=domain,dc=com?one
# One-level search base for groups. A group enumeration (getgrent) is exactly
# the scope=1 (objectClass=posixGroup) search seen in the slapd log; a client
# that resolves group membership by walking all groups (e.g. initgroups
# implemented over getgrent) fetches the whole subtree on every request.
# Check how the group check is actually performed on the client (enumeration
# vs. a memberUid=<user> lookup, which the server does index) -- TODO confirm.
nss_base_group		ou=Groups,dc=domain,dc=com?one
#%PAM-1.0
#[For version 1.0 syntax, the above header is optional]
#
# The PAM configuration file for the `httpd' service
#
# Every stack delegates to pam_ldap only: there is no pam_unix, so local
# /etc/passwd accounts cannot authenticate through httpd (fine if intended).
# `required` runs the rest of the stack after a failure and reports failure
# at the end; `requisite` would stop at the first failure. With a single
# module per stack the two behave the same.
# The user's password is verified by binding to the directory as the user,
# not by comparing hashes locally -- pam_ldap's normal mode.
auth       required   /lib/security/pam_ldap.so
# Account checks done by pam_ldap; with no pam_groupdn in the ldap.conf shown
# there is presumably no group restriction at this layer.
account    required   /lib/security/pam_ldap.so
# password and session are only exercised if Apache's PAM module calls them;
# harmless here. Nothing in this file causes the group enumeration seen in
# the slapd log -- the cost is in the lookups pam_ldap/nss_ldap perform.
password   required   /lib/security/pam_ldap.so
session    required   /lib/security/pam_ldap.so